CVE-2023-38286: 
Java vulnerability analysis and mitigation

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This vulnerability was discovered on July 14, 2023, and primarily affects applications using Spring Boot Admin with specific configurations (NVD).

The vulnerability is characterized by a sandbox bypass that enables attackers to circumvent Thymeleaf's blacklists rather than using reflection-based escapes. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue specifically manifests when Spring Boot Admin is configured with MailNotifier enabled and has write access to environment variables via the UI (NVD, GitHub POC).

When successfully exploited, this vulnerability can lead to Remote Code Execution (RCE) in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI. Additionally, the vulnerability can be exploited for arbitrary file reading if an attacker can modify the template attribute of MailNotifier to point to local files or files under the classpath of the spring-boot-admin application (GitHub POC).

Several workarounds have been recommended to mitigate this vulnerability: 1) Disable any MailNotifier functionality, 2) Disable write access (POST request) on the /env actuator endpoint, 3) Limit the template attribute of MailNotifier to specific options and avoid using http:// or file:/// protocols. For a permanent fix, users should upgrade to versions newer than Spring Boot Admin 3.1.1 and Thymeleaf 3.1.1.RELEASE (GitHub POC).